In the last couple of weeks I have been reading various white papers on computer network defense, and the common thread in all of them is that the industry is moving towards a dynamic approach to computer network defense. In the past, IT alone would deal with the defense of corporate networks; that is no longer the case.
The enterprise security cycle is the following: plan, resist, detect and respond. Plan and resist are the IT department working with management to define the security posture and implementing the security mechanisms that maintain it. These mechanisms are automatic counter-measures such as firewalls, IDS, IPS, DLP and similar technologies. On the other hand we have detect and respond, which are far more important today than they were years ago. The attacks hitting corporate networks are getting very sophisticated, and the working assumption is that your organization is already compromised. Detect and respond are part of the incident response function in the organization. The question here is: what are you doing to stop or mitigate the harm caused by these attacks? In the past, looking at the network security console was enough to detect most threat actors. Today the industry has defined a new class of threat, the so-called APT. These attacks are stealthy in nature and aimed at industrial and government espionage targeting high-value information. To stop such an attack you must understand the threat itself: its intent, capability, doctrine and patterns of operation, in order to establish resilience and mitigate the threat as much as possible.
Within this complex context, the cyber kill chain methodology was developed by Lockheed Martin Corporation, taking the military concept of a kill chain as its foundation. A kill chain is the structure of an attack:
- Target identification
- Force dispatch to target
- Decision and order to attack the target
- Destruction of the target
This kill chain model sits in the detect and respond phases of network defensive operations and is composed of collection, analysis, escalation and resolution. Collection is the most important of these, since the rest rely on it. This is the phase in which the data needed to decide whether activity is normal, suspicious or malicious is gathered. The kill chain defines exactly what data needs to be collected from the network in order to make the decisions needed to defend it.
In a kill chain model, one mitigation breaks the chain of attack and thwarts the adversary; therefore, a repetition by the adversary is a liability that defenders must recognize and leverage. The desirable outcome is one in which defenders implement counter-measures faster than adversaries evolve, raising the total cost an adversary must expend to achieve their objectives. The earlier the adversary is detected in this chain of events, the more risk is mitigated and the higher the cost for the adversary to reach their desired target.
A kill chain is a systematic process to target and engage an adversary to create desired effects. U.S. military targeting doctrine defines the steps of this process as find, fix, track, target, engage, assess (F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target with suitable weapon or asset to create desired effects; engage adversary; assess effects (U.S. Department of Defense, 2007). This is an integrated, end-to-end process described as a “chain” because any deficiency will interrupt the entire process.
The intrusion kill chain becomes a model for actionable intelligence when defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise. This approach is the essence of intelligence-driven computer network defense (CND): basing security decisions and measurements on a keen understanding of the adversary.
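To make the three ideas above concrete (collection feeding analysis, one mitigation anywhere in the chain breaking it, and aligning defensive capabilities phase by phase to the adversary's process), here is a small Python example added for this article; it is not code from the post or from Lockheed Martin. The seven phase names are the intrusion kill chain phases published by Lockheed Martin (Hutchins, Cloppert and Amin, 2011), which go beyond the four-step military chain listed above; the course-of-action matrix contents, the intrusion records and every indicator value are constructed for illustration and correspond to no real environment.

```python
"""Toy kill-chain analysis for a defender: find the earliest phase where a
deployed control breaks an observed chain, list detection (collection) gaps,
and surface indicators an adversary has reused across intrusions."""
from collections import defaultdict

# The seven intrusion kill chain phases (Lockheed Martin, 2011), in attack order.
PHASES = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]
PHASE_INDEX = {phase: i for i, phase in enumerate(PHASES)}

# Constructed course-of-action matrix: per phase, the defensive action types
# (detect, deny, disrupt, degrade, deceive, destroy) the enterprise has deployed
# and the capability that provides each. Illustrative only, not a real posture.
COURSES_OF_ACTION = {
    "reconnaissance": {"detect": "web server analytics"},
    "weaponization": {},
    "delivery": {"detect": "mail gateway logging", "deny": "attachment filtering"},
    "exploitation": {"detect": "host IDS", "disrupt": "patch management"},
    "installation": {"detect": "host IDS", "deny": "application allow-listing"},
    "command_and_control": {"detect": "netflow analysis", "deny": "egress firewall"},
    "actions_on_objectives": {"detect": "audit logging", "degrade": "network segmentation"},
}

# Actions that stop the adversary (as opposed to "detect", which only sees them).
BLOCKING_ACTIONS = ("deny", "disrupt", "degrade", "deceive", "destroy")


def earliest_break(observed_phases, coa=COURSES_OF_ACTION):
    """Return (phase, action, capability) for the earliest observed phase at
    which a deployed blocking action can break the chain, or None if the
    adversary would get through every observed phase unopposed."""
    for phase in sorted(observed_phases, key=lambda p: PHASE_INDEX[p]):
        for action in BLOCKING_ACTIONS:
            if action in coa.get(phase, {}):
                return phase, action, coa[phase][action]
    return None


def detection_gaps(coa=COURSES_OF_ACTION):
    """Phases with no detection capability at all: these are collection gaps,
    and collection is what every later analysis step depends on."""
    return [phase for phase in PHASES if "detect" not in coa.get(phase, {})]


def repeated_indicators(intrusions):
    """Indicators that appear in more than one intrusion, mapped to the phase
    they were observed at and the sorted ids of the intrusions sharing them.
    Reuse across intrusions is the adversary 'repetition' defenders leverage."""
    seen_in = defaultdict(set)
    phase_of = {}
    for intrusion_id, observations in intrusions.items():
        for phase, indicator in observations:
            seen_in[indicator].add(intrusion_id)
            phase_of[indicator] = phase
    return {
        indicator: (phase_of[indicator], sorted(ids))
        for indicator, ids in seen_in.items()
        if len(ids) > 1
    }


# Constructed intrusion records: (phase, indicator) pairs as an analyst might
# record them. All values are made up; the .invalid TLD is reserved and never resolves.
SAMPLE_INTRUSIONS = {
    "intrusion-1": [
        ("delivery", "sender:hr-updates@example.invalid"),
        ("exploitation", "sha256:CONSTRUCTED_HASH_A"),
        ("installation", "path:%APPDATA%\\svchost_update.exe"),
        ("command_and_control", "domain:c2.example.invalid"),
    ],
    "intrusion-2": [
        ("delivery", "sender:payroll-notice@example.invalid"),
        ("exploitation", "sha256:CONSTRUCTED_HASH_B"),
        ("installation", "path:%APPDATA%\\svchost_update.exe"),
        ("command_and_control", "domain:c2.example.invalid"),
    ],
}

if __name__ == "__main__":
    phases_seen = [phase for phase, _ in SAMPLE_INTRUSIONS["intrusion-2"]]
    print("earliest break:", earliest_break(phases_seen))
    print("collection gaps:", detection_gaps())
    for indicator, (phase, ids) in repeated_indicators(SAMPLE_INTRUSIONS).items():
        print(f"reused at {phase}: {indicator} in {ids}")
```

The two intrusions use different lures and different payload hashes but the same dropped file path and the same command-and-control domain; `repeated_indicators` surfaces exactly those, which is what the kill chain paper means by turning adversary repetition into a liability. `earliest_break` shows that, against the constructed posture, the chain is broken at delivery before any later phase matters, and `detection_gaps` shows weaponization has no collection at all, which is expected since that phase happens on the adversary's side.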
With this I hope I have covered the basics of the Cyber Kill Chain and the process analysts and incident responders need to follow in order to protect their networks better. There is one more article I would like to pair with this one to support the Cyber Kill Chain: Psychological Incident Handling. That white paper describes how following a Psychological Incident Handling process allows analysts to better ascertain the sort of threat and the potential impact that an attack has on the organization.